A vulnerability has been found in Kallithea.
The vulnerability allowed logged-in users to edit or delete open pull requests associated with any repository to which they had read access. A related vulnerability allowed logged-in users to delete any comment from any repository, provided they could determine the comment ID and had read access to at least one repository.
Søren Løvborg wrote a patch fixing the issue, which is included in release 0.3.2. Users are advised to upgrade as soon as possible.
As far as we know, the issue is present in all previously released Kallithea versions.
Mercurial changeset fixing the issue: https://kallithea-scm.org/repos/kallithea/changeset/81057be7a5c10e1cd08d32c923468e41cf417ed1